Saturday, 24 April 2010

HOWTO: LDAP Client on 10.04 Lucid Lynx

This is essentially the same as my previous Hardy Heron LDAP howto but with some steps removed. Rather than edit the old article I thought I'd just reproduce it with the appropriate parts omitted. This howto is also relevant to Jaunty and Karmic. The LDAP Server howto can be found here.

You will again be asked a bunch of questions. Answer them like so, substituting your own server name and base DN;

LDAP server Uniform Resource Identifier: ldap://ldap.tuxnetworks.com
Distinguished name of the search base: dc=tuxnetworks,dc=com
LDAP version to use: 3
Make local root Database admin: Yes
Does the LDAP database require login? No
LDAP account for root: cn=admin,dc=tuxnetworks,dc=com
LDAP root password: (the server LDAP root password)

Note that answering "Yes" to making local root the database admin stores that LDAP root password on the client in /etc/ldap.secret, so that file must stay readable by root only (mode 0600).

Now we need to edit the following files;

~$ sudo vi /etc/ldap.conf

and edit these lines to look like this;

bind_policy soft

pam_password crypt

Find the line that begins with uri ldapi://

Comment the line out and replace it with a line like so;

uri ldap://ldap.tuxnetworks.com/

Note that a plain ldap:// URI sends bind passwords to the server unencrypted. If your server is set up for TLS, also add the line ssl start_tls to this file.

Edit this file;

~$ sudo vi /etc/ldap/ldap.conf

Edit it to look like this;

BASE dc=tuxnetworks,dc=com
URI ldap://ldap.tuxnetworks.com

SIZELIMIT 0
TIMELIMIT 0
DEREF never

Edit nsswitch.conf

~$ sudo vi /etc/nsswitch.conf

Enter the following lines;

passwd: files ldap
group: files ldap
shadow: files ldap

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

Now build the local NSS cache database from the LDAP directory;

~$ sudo nss_updatedb ldap
passwd... done.
group... done.

Note:

If you get an error like this:

Failed to enumerate nameservice: No such file or directory

then check that your uri line in /etc/ldap.conf is correct and the address is pingable.

You should now be able to query the server with;

~$ ldapsearch -x

That command should dump a tonne of entries from the server's LDAP directory. Then check that NSS is actually resolving accounts from it;

~$ getent passwd

The output should list the LDAP users after the local ones from /etc/passwd.

You should now be able to log in to the client via ssh using the user "brettg"'s credentials.
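The following is an added check script, not part of this howto: a POSIX sh script that verifies the three files edited above (/etc/ldap.conf, /etc/ldap/ldap.conf, /etc/nsswitch.conf) and, given a username, that the account resolves through LDAP rather than /etc/passwd. The file paths, the /etc/ldap.secret permission check and the "files ldap" ordering it insists on are assumptions about a stock Lucid libnss-ldap/libpam-ldap install as configured above; the hostname in its messages is the howto's example server.

```sh
#!/bin/sh
# ldap-client-check.sh: added example, not part of the original howto.
# Sanity-checks the three files the howto edits and, optionally, proves that a
# given account resolves through LDAP rather than /etc/passwd. The paths are
# taken from environment variables (defaults below) so the checks can also be
# run against copies of the files. Paths and expected values are assumptions
# about a stock Lucid libnss-ldap/libpam-ldap install; adjust to your site.

LDAP_CONF=${LDAP_CONF:-/etc/ldap.conf}              # nss_ldap / pam_ldap
LDAP_LIB_CONF=${LDAP_LIB_CONF:-/etc/ldap/ldap.conf} # OpenLDAP client library
NSSWITCH=${NSSWITCH:-/etc/nsswitch.conf}
LDAP_SECRET=${LDAP_SECRET:-/etc/ldap.secret}        # root bind password written by debconf
PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}

# directive FILE KEYWORD: value of the first uncommented KEYWORD line in FILE.
directive() {
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*//p" "$1" | head -n 1
}

# Each check prints its findings and returns the number of failures.
check_ldap_conf() {
    f=$LDAP_CONF; fails=0
    case "$(directive "$f" uri)" in
        ldaps://*) ;;
        ldap://*)
            # Plain ldap:// carries the bind password in clear unless STARTTLS is on.
            grep -q '^[[:space:]]*ssl[[:space:]][[:space:]]*start_tls' "$f" ||
                echo "WARN: $f: uri is plain ldap:// without 'ssl start_tls'; bind passwords cross the wire unencrypted" ;;
        ldapi://*)
            echo "FAIL: $f: uri still points at the local ldapi:// socket, not the server"
            fails=$((fails + 1)) ;;
        *)
            echo "FAIL: $f: no uncommented uri line"
            fails=$((fails + 1)) ;;
    esac
    [ "$(directive "$f" bind_policy)" = soft ]   || { echo "FAIL: $f: bind_policy soft not set"; fails=$((fails + 1)); }
    [ "$(directive "$f" pam_password)" = crypt ] || { echo "FAIL: $f: pam_password crypt not set"; fails=$((fails + 1)); }
    # "Make local root Database admin: Yes" sets rootbinddn and puts the LDAP
    # admin password in $LDAP_SECRET in clear, so that file must be mode 0600
    # (ownership is not checked here).
    if [ -n "$(directive "$f" rootbinddn)" ]; then
        if [ ! -f "$LDAP_SECRET" ]; then
            echo "FAIL: rootbinddn is set but $LDAP_SECRET is missing"
            fails=$((fails + 1))
        elif [ "$(ls -ld "$LDAP_SECRET" | cut -c1-10)" != "-rw-------" ]; then
            echo "FAIL: $LDAP_SECRET holds the LDAP admin password and must be mode 0600"
            fails=$((fails + 1))
        fi
    fi
    return $fails
}

check_lib_ldap_conf() {
    f=$LDAP_LIB_CONF; fails=0
    [ -n "$(directive "$f" BASE)" ] || { echo "FAIL: $f: BASE not set"; fails=$((fails + 1)); }
    case "$(directive "$f" URI)" in
        ldap://*|ldaps://*) ;;
        *) echo "FAIL: $f: URI not set to the server"; fails=$((fails + 1)) ;;
    esac
    return $fails
}

# passwd, group and shadow must read "files ldap": local accounts (root among
# them) keep resolving when the server is down, and LDAP is consulted after.
check_nsswitch() {
    f=$NSSWITCH; fails=0
    for db in passwd group shadow; do
        srcs=$(sed -n "s/^[[:space:]]*$db:[[:space:]]*//p" "$f" | head -n 1)
        set -f; set -- $srcs; set +f   # split sources on whitespace, no globbing
        ok=0
        if [ "${1:-}" = files ]; then
            case " $* " in *" ldap "*) ok=1 ;; esac
        fi
        if [ $ok -eq 0 ]; then
            echo "FAIL: $f: '$db:' should read 'files ldap', got '$srcs'"
            fails=$((fails + 1))
        fi
    done
    return $fails
}

# check_user USER: resolved by NSS but absent from /etc/passwd means the answer
# came from the ldap source. Needs a reachable server, so only run on request.
check_user() {
    if ! getent passwd "$1" >/dev/null 2>&1; then
        echo "FAIL: getent cannot resolve '$1'; check the uri line and that the server is reachable"
        return 1
    fi
    if grep -q "^$1:" "$PASSWD_FILE"; then
        echo "INFO: '$1' is a local account in $PASSWD_FILE, so this proves nothing about LDAP"
        return 1
    fi
    echo "OK: '$1' resolves and is not in $PASSWD_FILE, so it came from LDAP"
    return 0
}

# run_checks [USER]: run everything; exit status 0 only when all pass.
run_checks() {
    total=0
    check_ldap_conf;     total=$((total + $?))
    check_lib_ldap_conf; total=$((total + $?))
    check_nsswitch;      total=$((total + $?))
    if [ $# -gt 0 ]; then check_user "$1" || total=$((total + 1)); fi
    echo "$total problem(s) found"
    [ "$total" -eq 0 ]
}

# Only run when executed as a script (e.g. "sh ldap-client-check.sh brettg");
# when sourced from another file just the functions are defined.
case "$0" in
    *ldap-client-check.sh) run_checks "$@" ;;
esac
```

Run it as root on the client once the steps above are done, e.g. sh ldap-client-check.sh brettg. With the settings exactly as in this howto it passes but prints the WARN about the plain ldap:// URI, which is the honest state of that configuration.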

Brett, thanks for this great tutorial. I have joined 5 Ubuntu Lucid clients to our Lucid LDAP server and it works perfectly. One thing: I realize that password expiration does not trigger; even when sambaPwdMustChange is 0, the Lucid client can still log in. Could you please point me in the right direction?

Hi, very good global tutorial from what I already checked on the net. It worked well nearly up to the end, but I can't log my client (Ubuntu 10.04) in against the server. I got two errors popping up after the login screen: could not update ICEauthority file /home/myuser/.ICEauthority, and then /usr/lib/libgconf2-4/gconf-sanity-check-2 exited with status 256. It appears that /home/users is not mounted (so probably the rest of the problem: nautilus can create /home...). Even manually, mount -t nfs IP_ldap_server:/home/users /home/users, the mount is not active. NFS problem? Thanks for any help.

Sorry for my previous comment, I missed the NFS share... login is now successful. My last problem is that the Samba share is browseable but I can't access it (NT_STATUS_LOGON_FAILURE) when logged in with an LDAP user. Any hints are welcome. Thanks again for your work!!

Here's a tip about something that took me a lot of time. If you configure an LDAP-based address book in Thunderbird, nothing will happen; it doesn't even ask for a password. This is because Thunderbird, in my opinion, acts extremely stupid. Only when you enter at least one character in the search box in the address book panel will Thunderbird ask for a password, and the addresses will start displaying. If the search box is cleared, the list of addresses is emptied.

In order to have 'getent passwd' working, I had to re-enter the URI line from /etc/ldap.conf in /etc/nslcd.conf, plus '/etc/init.d/nslcd restart'. After that, 'getent passwd' worked like a charm. I love Ubuntu for changes like that :-(

I noticed that this thread says that the prerequisites are to have an NFS server to export home directories... As a newbie, I'm wondering how to install an NFS server, as this isn't included in the tutorial. I was also under the assumption that Samba (SMB) functions as an NFS server... no? Please help. I just want to be able to log in using my UID and password and have a mounted home directory on the Ubuntu desktop.

I have used your blog and put the settings as defined by you, but I am facing the following issues:

I have a problem authenticating with the LDAP server...

It's not able to bind the user with crypt passwords, but the other password algorithms like MD5, SSHA and SHA are working fine. The problem is that I have migrated all the accounts from NIS, so all the old accounts have crypt passwords.

The 2nd thing is that if I create a new account, or change the previous account's password to another password algorithm, and log in through SSH on the server with the username/password, then after giving the passwd command it changes the password automatically to the crypt algorithm. How can I restrict it to a certain algorithm? Moreover, if the password uses the crypt algorithm it is not able to change the password; it is not taking the old password and is displaying...

Thanks for this tutorial, it helps me a lot for our school. Would you mind if I publish a translation (in French), adapted for Belgian (Wallonia) schools? I haven't seen a license on your work, and I'd like to put it under Creative Commons BY-SA...

Thanks for the article. There aren't many cookbook explanations using modern versions of OpenLDAP and Ubuntu.

Though I'm not clear why you are installing nss-updatedb. This seems to be only used for storing local db cache copies. https://help.ubuntu.com/community/PamCcredsHowto is a good explanation of configuring it.

Hi, I've followed this guide to set up a network with Ubuntu 10.4 LTS and WinXP Pro SP3 clients. With the XP clients it works perfectly, but I have some troubles with the Linux clients... First I had to add these lines to /etc/ldap.conf:

uri ldap://@ipserver
uri ldaps://@ipserver
uri ldapi://@ipserver

otherwise getent passwd doesn't work. But even if getent passwd works, the ldapsearch -x command shows me something like "32 results, No such object." When I try to log on with GNOME I get this error: authentication failed. (I'm sure my login and password are correct.)

Hi Brett, thanks for the great tutorial, it is really good, it worked wonders for me. I just have a small concern: I cannot log in as a local user of the machine, as the root user. I want it to check /etc/passwd before going to the LDAP database. Any ideas? Please, I really need this to work.

But with GNOME I've got this error: Could not update /home/user/.ICEauthority. I changed the owner with chown to the user, but it doesn't change anything. I can only log on with Windows users on the Ubuntu server, but with Ubuntu clients it works only in console mode... It's cool but a little sad.

Hi Brett, thanks for the wonderful document. With the help of the doc I have configured the LDAP server with Samba completely. Now, where do I create the user for the domain users in phpLDAPadmin? And also, please guide me on how to configure LDAP in Windows.

My issue is that I need to not use NFS for home dirs (which I know this tutorial is based on). This is because I have a laptop that will not always be on the LDAP network, so I need to have local homes. I have found some articles on using pam_ccreds, but I'm wondering if anyone knows an easier way?

Hey drei and all the others with the same challenge as drei, did anyone finally figure out the solution?! I've been at this for hours and days and weeks and have not yet succeeded! Any help would be greatly appreciated! Riza

I have followed the guide and have managed to implement the authentication side no problems. Clients authenticate against the server but when I try to implement the home directories section of the tutorial I get several error messages appear and have not yet worked out how to sort this out. If anyone has any idea please help as I need to get the client and servers operational soon. I see others have had the same problem.

I followed all the steps in the tutorial, and I can't login with other users (except for those that are already in my client - the user i called "vbox").

Although I sort of can log in with a user from my LDAP server, I have to "switch users" (leaving my default client user open) while I log in with the "external" one. Once I log in with that user, I get the same error that Jonny had yesterday (ICEauthority) :(

I have another question:When you mention "'servername:/home/users /home/users nfs defaults 0 0'" In the tutorial, should I leave servername as it is, or should I replace it with my own servername?

this is a bit confusing to me, because it's the first time i'm setting up this kind of network.

Sorry I forgot to mention that. I am getting these errors when I login from an Ubuntu 10.04 desktop. It authenticates against the ldap server but has problems with the home directories and NFS stuff by the looks of things. It does the same with an OpenSuse 11.3 desktop client.

I am getting these when I enter username and password to logon to the client machine. It authenticates fine but then fails due to the error messages above. I am not entering any commands when I get these, just a username and password on the client login screen.

Sir, I followed and executed all that very well. I can log in using the username and password on the client machine... but what about the rights? How will I be able to give selected permissions to selected users? Can anyone please help me on this?